Google Chrome exploit fetches “Pinkie Pie” $60,000 hacking prize

A win for Pinkie Pie and Google, as a fix is released within 12hrs of the exploit.

An image displayed on a computer after it was successfully commandeered by Pinkie Pie during the first Pwnium competition in March.

Dan Goodin

A hacker who goes by "Pinkie Pie" has once again subverted the security of Google's Chrome browser, a feat that fetched him a $60,000 prize and resulted in a security update to fix underlying vulnerabilities.

Ars readers may recall Pinkie Pie from earlier this year, when he pierced Chrome's vaunted security defenses at the first installment of Pwnium, a Google-sponsored contest that offered $1 million in prizes to people who successfully hacked the browser. At the time a little-known reverse engineer of just 19 years, Pinkie Pie stitched together at least six different bug exploits to bypass an elaborate defense perimeter designed by an army of some of the best software engineers in the world.

Pounding on sand

Even then, Pinkie Pie encountered a predicament that is growing increasingly common among software exploiters. A security sandbox acts as a boundary that quarantines HTML and other types of browser content so it doesn't interact with more sensitive parts of a computer's operating system. And Chrome utilized one that prevented Pinkie Pie's exploit from doing much more than crashing the machine. With Microsoft's Internet Explorer and Apple's Safari browser offering similar defenses, the ability to craft drive-by Web exploits that remotely execute malicious code is getting significantly harder. A comprehensive study from last year found Google's sandbox was far more restrictive than Microsoft's, although some people have discounted that finding because the report was commissioned by Google.

To work around this limitation and actually gain control of the system, Pinkie Pie targeted a second bug, this one in Chrome's interprocess communication layer. Because his exploit relied only on code that is included with Chrome, the attack once again qualified for the top $60,000 prize specified under the Pwnium rules.

"We'd like to thank Pinkie Pie for his hard work in assembling another great Pwnium submission," Evans wrote. "We'll post an in-depth look at the bugs used and subsequent mitigations once other platforms have been patched."

Pinkie Pie was the sole winner this time around, but based on a Twitter dispatch from self-described "vulnerability assassin" Nikita Tarakanov, a freshly fixed vulnerability in Adobe's Flash Player scuttled his Pwnium plans during day one of the competition. Google Chrome is notable for packaging a custom version of Flash and providing security fixes for it before Adobe patches other Flash versions.

All told, it took just 12 hours from the time Pinkie Pie's attack was demonstrated to the time Google engineers released a fix. If that's not a record, it's better than the weeks or months it can take Mozilla, Microsoft, and Apple to patch their browsers against similarly devastating bugs.

All told, it took just 12 hours from the time Pinkie Pie's attack was demonstrated to the time Google engineers released a fix. If that's not a record, it's better than the weeks or months it can take Mozilla, Microsoft, and Apple to patch their browsers against similarly devastating bugs.

Absolutely agree! Between this and the WoW 4-hour patch deployment, this is a good week for security fixes. Oracle could certainly learn a little from this model as well.

All told, it took just 12 hours from the time Pinkie Pie's attack was demonstrated to the time Google engineers released a fix. If that's not a record, it's better than the weeks or months it can take Mozilla, Microsoft, and Apple to patch their browsers against similarly devastating bugs.

This is very good news, but I still recall from the HBGary Federal fiasco that they had several day-zero windows bugs to exploit, and it seems that every day we hear of a new Flash or windows exploit that can take control of your computer.

What's nice about Chrome is that I bet 90+% of people are running a version that has already been patched. No download, update, reboot required. Just a re-launch.

Remind me again why IE so tightly ingrained into the OS?

IE has been largely decoupled from the OS other than being installed with it. It is still considered a component of Windows, but can be turned on or off from the features menu. There are many things that make use of IE via embedded browser controls (help viewers, various other screens and utilities in Windows, .NET framework browser control, etc.) so it would break a lot of stuff to just remove it totally.

That being said, what does tight integration have to do with updates? You probably don't use IE, but it does automatically update now.

Microsoft? Why? IE9 and IE10 are sandboxed and pretty damn secure. In fact I had a Verizon Wireless phishing scam site get blocked by IE but come up just fine in FF and Chrome. I am sure IE is exploitable, just as Firefox, Chrome, and Safari are, but if we are going to go on a security flaw bashing bender here, can we at least be honest and say Sun and Adobe NEED to hire him??? I would have to say 90% of browser-based malware infections are due to plugins from those 2 companies.

What makes him so good? I wish I was smart enough to have now made $120,000 in two competitions. Good for him!

"He codes by sense of smell?" (Bad Who reference, I know...)

The Who was the first thing I heard there as well.

As for $120k for two competitions, consider that he had to find eight security flaws that he could string together for these two wins. That's $15k/flaw, before tax. Good scratch for a 19 year old, but he's earning every penny.

IE has been largely decoupled from the OS other than being installed with it. It is still considered a component of Windows, but can be turned on or off from the features menu. There are many things that make use of IE via embedded browser controls (help viewers, various other screens and utilities in Windows, .NET framework browser control, etc.) so it would break a lot of stuff to just remove it totally.

"Turning off" IE pretty much entails removing the iexplore.exe stub file. All of the major components remain.

Sure, removing it would break a lot of things, but isn't that kind of the problem with this design in the first place?

Not sure why Mozilla is in that list? Firefox even has a name for quick updates of security vulnerabilities, "chemspill". Those patches are sent out very fast, not "weeks or months".

I'd like to think Mozilla is faster at security upgrades now than they were back in the day, but it did take them almost five years to implement HttpOnly cookies, for example. I'm sure more than a few Firefox users got screwed by XSS cookie theft at the time.

That's a pretty old example though, so hopefully the author is relying on something more recent for that claim. Or hopefully not, for Firefox users.

IE has been largely decoupled from the OS other than being installed with it. It is still considered a component of Windows, but can be turned on or off from the features menu. There are many things that make use of IE via embedded browser controls (help viewers, various other screens and utilities in Windows, .NET framework browser control, etc.) so it would break a lot of stuff to just remove it totally.

"Turning off" IE pretty much entails removing the iexplore.exe stub file. All of the major components remain.

Sure, removing it would break a lot of things, but isn't that kind of the problem with this design in the first place?

del iexplore.exe & ren firefox.exe iexplore.exe will restore most of the missing functionality.

Not sure why Mozilla is in that list? Firefox even has a name for quick updates of security vulnerabilities, "chemspill". Those patches are sent out very fast, not "weeks or months".

I'd like to think Mozilla is faster at security upgrades now than they were back in the day, but it did take them almost five years to implement HttpOnly cookies, for example. I'm sure more than a few Firefox users got screwed by XSS cookie theft at the time.

That's a pretty old example though

I'm not that familiar with the history of HttpOnly, but a quick search finds

which says Firefox supported it since 3.0.0.6, that is, (as you say) a very very long time ago? Looks like MS implemented it first, I don't know how long the standardization process took. Sometimes it takes years for that and consequently for it to show up in other browsers.

Quote:

so hopefully the author is relying on something more recent for that claim. Or hopefully not, for Firefox users.

There are definitely examples of chemspills being done very quickly in recent history, when necessary. I'd be curious to see data saying otherwise.

which says Firefox supported it since 3.0.0.6, that is, (as you say) a very very long time ago?

Sure, so hopefully things have improved since. It was painful to watch, though, and security is a process not a product; five years before authentication credentials couldn't be stolen by the simplest of XSS attacks suggests a rather broken process.

Pretty off topic so I'll try to leave off here. Old phantom limb itch or something.
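The XSS cookie-theft case this thread keeps returning to comes down to one Set-Cookie attribute: without HttpOnly, injected script can read the session cookie through document.cookie. The following is an added example, not code from the article or any commenter, that audits raw Set-Cookie header values for that gap (and the related Secure and SameSite attributes) and emits a hardened header; the sample headers and the SESSION_HINTS name list are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute discussed in the thread.

Constructed example: given raw Set-Cookie header values, report cookies that
injected script could read via document.cookie because HttpOnly is absent,
and produce a hardened version of the same header.
"""
from typing import Dict, List

# Substrings that usually mark an authentication cookie (assumption for this example).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict; attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means nothing to flag."""
    c = parse_set_cookie(header)
    findings = []
    is_session = any(h in c["name"].lower() for h in SESSION_HINTS)
    if "httponly" not in c:
        # No HttpOnly: document.cookie exposes the value to any script running in
        # the page, which is exactly the XSS cookie-theft scenario from the thread.
        findings.append("missing HttpOnly" + (" on session cookie" if is_session else ""))
    if "secure" not in c:
        findings.append("missing Secure")   # cookie would also travel over plain HTTP
    if "samesite" not in c:
        findings.append("missing SameSite")  # cookie would ride along on cross-site requests
    return findings


def harden(header: str) -> str:
    """Keep the original segments and append whichever protective attributes are absent."""
    c = parse_set_cookie(header)
    segments = [p.strip() for p in header.split(";") if p.strip()]
    if "httponly" not in c:
        segments.append("HttpOnly")
    if "secure" not in c:
        segments.append("Secure")
    if "samesite" not in c:
        segments.append("SameSite=Lax")
    return "; ".join(segments)


if __name__ == "__main__":
    for h in ("sessionid=abc123; Path=/", "theme=dark; Path=/"):  # constructed headers
        print(h, "->", audit(h) or "ok")
        print("  hardened:", harden(h))
```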

which says Firefox supported it since 3.0.0.6, that is, (as you say) a very very long time ago?

Sure, so hopefully things have improved since. It was painful to watch, though, and security is a process not a product; five years before authentication credentials couldn't be stolen by the simplest of XSS attacks suggests a rather broken process.

Reading the history there, it looks like there were various complex issues with it, both in terms of should it be implemented, what should it do, and how. But as you said, this is offtopic.

The relevant fact to the article here is that the comment about Mozilla patching as slowly as Microsoft and Apple seems odd given recent history.